Yes, SSL bridging is nice if in fact the ISA was inspecting traffic as you suggest.
So precisely what "inspection" is ISA doing? As I understand it (I could be wrong), ISA bridges the connection without actually doing anything to protect your web server. With CP FW-1 you are able to set all sorts of parameters to ensure "safe" http/s traffic. With ISA you need third party products. Am I wrong?

Mike Hawkins
New York Office: 212-208-3888
White Plains Office: 914-729-2790
Mobile: 917-887-3614

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Ray
Sent: Sunday, February 19, 2006 1:43 PM
To: [email protected]
Subject: Re: [FW-1] ISA Firewall Question

ISA has a couple of nice features. One of them is SSL termination. For example, if you have a web server that uses SSL and is behind the firewall, CP can't help you inspect traffic headed to it. With ISA, you do this:

Set the web server's external DNS entry to an IP address bound to the external interface of the ISA server.
Install a copy of the SSL certificate on the ISA server bound to the above IP address.
Set ISA to perform SSL Bridging.

The traffic looks like this:

External SSL connection inbound to web server -> CP -> ISA external interface -> inbound traffic is decrypted and inspected by ISA -> Traffic leaves the ISA server as a new SSL connection to the web server.

We use this feature and it works well. I think it's the one big feature missing from CP. We also use ISA for controlling outbound web traffic by user and HTTP virus scanning. It keeps that workload off the firewall.

Another really neat feature is that the ISA inbound "listener" ignores connections coming in by IP address and not the DNS name. It makes port scanning virtually useless because ISA just ignores the traffic since the connection is by IP address.
Ray

>From: "Hawkins, Michael" <[EMAIL PROTECTED]>
>Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>
>To: [email protected]
>Subject: Re: [FW-1] ISA Firewall Question
>Date: Sun, 19 Feb 2006 09:31:25 -0500
>
>If you are using websense or some other CVP/UFP server integrated with
>FW-1 then ISA brings nothing except for AV protection.
>
>Mike Hawkins
>New York Office: 212-208-3888
>White Plains Office: 914-729-2790
>Mobile: 917-887-3614
>
>-----Original Message-----
>From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Elliott
>Sent: Friday, February 10, 2006 12:36 PM
>To: [email protected]
>Subject: [FW-1] ISA Firewall Question
>
>My customer is considering implementing Microsoft's ISA firewall/proxy
>application as a secondary line of defense to their Check Point VPN1
>solution and they want to get RPC over HTTP to work. Has anyone done this
>and what are the issues you ran into. Is there a doc on how to set this up
>somewhere?
>
>Thanks,
>Robbie
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to [EMAIL PROTECTED]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[EMAIL PROTECTED]
>=================================================
>-----------------------------------------------------------------------
>The information contained in this email is confidential and may also
>contain privileged information. Sender does not waive confidentiality or
>legal privilege.
>If you are not the intended recipient please notify the
>sender immediately; you should not retain this message or disclose its
>content to anyone.
>Internet communications are not secure or error free and the sender does
>not accept any liability for the content of the email. Although emails are
>routinely screened for viruses, the sender does not accept responsibility
>for any damage caused. Replies to this email may be monitored.
>-----------------------------------------------------------------------
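
The bridging point described in Ray's message is where the request is briefly in plaintext, so it is where header-level checks can run before the second SSL leg. The sketch below is an added example, not ISA or FW-1 code and not from the thread: it applies a few assumed policy checks (published host names, allowed methods, URL length) to a decrypted request head and rejects requests whose Host header is an IP literal. `PUBLISHED_NAMES`, `inspect_request` and the sample requests are constructed for illustration.

```python
import ipaddress

# Assumed policy values for illustration; not taken from ISA or FW-1.
PUBLISHED_NAMES = {"www.example.com"}
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_URL_LEN = 2048

# Constructed sample request heads, as seen after the inbound SSL leg is decrypted.
SAMPLES = {
    "by_name": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "by_ip": b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
    "trace": b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}

def host_only(value):
    """Return the host part of a Host header value, lower-cased, port removed."""
    value = value.strip().lower()
    if value.startswith("["):  # bracketed IPv6 literal, e.g. [2001:db8::1]:443
        return value[: value.find("]") + 1]
    return value.rsplit(":", 1)[0] if value.count(":") == 1 else value

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def inspect_request(plaintext):
    """Return (allowed, reason) for a decrypted HTTP/1.x request head."""
    head = plaintext.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return False, "malformed request line"
    method, target, _ = parts
    if method not in ALLOWED_METHODS:
        return False, "method not allowed"
    if len(target) > MAX_URL_LEN:
        return False, "URL too long"
    hosts = [l.split(":", 1)[1] for l in lines[1:] if l.lower().startswith("host:")]
    if len(hosts) != 1:
        return False, "missing or duplicate Host header"
    host = host_only(hosts[0])
    if is_ip_literal(host):
        return False, "addressed by IP literal, not DNS name"
    if host not in PUBLISHED_NAMES:
        return False, "host not published"
    return True, "ok"
```
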
